North American Network Operators Group

Date Prev | Date Next | Date Index | Thread Index | Author Index | Historical

Re: Prefix Hijack Tool Comaprision

  • From: Jack Bates
  • Date: Thu Nov 13 15:33:13 2008

Todd Underwood wrote:
i said that *this* hijacking took place in an insignificant corner of
the internet. i mean this AS-map wise rather than geographically.
this hijacking didn't even spread beyond one or two ASes, one of whom
just happened to be a RIPE RIS peer.

Yet for someone monitoring from their own perspective, what matters to them is what their own AS is seeing. If a hijacking makes it to their AS, they want to be concerned.

real hijackings leak into dozens or hundreds or thousands of ASNs.
they spread far and wide. that's why people carry them out, when they
do. this one was stopped in its tracks in a very small portion of one
corner of the AS graph.

Wasn't there a dns hijack not long ago that only had the scope of one ISP (who just happened to be extremely large and carried a bunch of cell phones)? Just because a hijack only covers a small portion of the net doesn't make it any less effective. This is why we push to get as many access controls as far out to the edge as possible. If it only effects the person who tries it, then it has no bearing.

as such, i don't count it as a hijacking or leak of any great
significance and wouldn't want to alert anyone about it.  that's why i
recommend that prefix hijacking detection systems do thresholding of
peers to prevent a single, rogue, unrepresentative peer from reporting
a hijacking when none is really happening.  others may have a
different approach, but without thresholding prefix alert systems can
be noisy and more trouble than they are worth.

Thresholds might be important, but different mileage, yada yada.